Screen OS

 View Only
last person joined: 10 months ago 

This is a legacy community with limited Juniper monitoring.
  • 1.  Multiple subnets over VPN (SSG350 to Cisco 2611)

    Posted 05-18-2009 10:41

    Good afternoon 🙂

    We have an SSG350 in our main site, as the hub in our 'hub and spoke' VPN network. On one of our spokes, we are connecting to a Cisco 2611 via a policy based VPN. My issue is that we have two subnets in the hub (10.1.1.0/24 and 192.168.1.0/24).There is already a policy based VPN established to 10.1.1.0/24 and the spoke's subnet (10.1.78.0/24). Currently, I'm trying to allow traffic to pass over the existing VPN from the remote site to the additional subnet 192.168.0/24. This is the setup I have so far:

     

    SSG350:

    -Configured with one gateway, and two separate Phase 2 rules for this spoke (one for each proxy ID pair).

    -Two sets of policies, one for each subnet.

     

    Cisco 2611

    -Tried adding the addtional subnet into existing access list for VPN

    i.e.  access-list 101 permit ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255

           access-list 101 permit ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255

    How can I route traffic from the Cisco over the currently working VPN to an additional subnet on the Juniper side? Related config for each posted below...thanks in advance for any suggestions/links to point me in the right direction!!

     

    Kara

     


    Cisco 2611 edited config:

    !
    !

    crypto isakmp policy 11
     hash md5
     authentication pre-share
    crypto isakmp key XXXXXXXXXXXX address 4.4.4.4
    !
    !
    crypto ipsec transform-set sharks esp-des esp-md5-hmac
    !
    !
    crypto map nolan 11 ipsec-isakmp
     set peer 4.4.4.4
     set transform-set sharks
     match address 101
    !
    !
    !
    !
    interface Ethernet0/0
     no ip address
     no ip directed-broadcast
     no cdp enable
    !
    interface Serial0/0
     no ip address
     no ip directed-broadcast
     encapsulation frame-relay
     frame-relay lmi-type ansi
    !
    interface Serial0/0.1 point-to-point
     description connected to Internet
     ip address 5.5.5.5 255.255.255.248
     no ip directed-broadcast
     ip nat outside
     no cdp enable
     frame-relay interface-dlci 16 IETF
     crypto map nolan
    !
    interface Ethernet0/1
     ip address 10.1.78.1 255.255.255.0
     no ip directed-broadcast
     ip nat inside
     no cdp enable
    !
    ip nat inside source route-map nonat interface Serial0/0.1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 5.5.5.4
    !
    access-list 101 permit ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 101 permit ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 102 deny   ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 102 permit ip 10.1.78.0 0.0.0.255 any
    access-list 102 deny   ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255
    no cdp run
    route-map nonat permit 10
     match ip address 102


     

    SSG 350 Edited Config:


    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "ERP"
    set interface "ethernet0/2" zone "OPS"
    set interface "ethernet0/3" zone "Null"
    set interface ethernet0/0 ip 4.4.4.4/28
    set interface ethernet0/0 route
    unset interface vlan1 ip
    set interface ethernet0/1 ip 192.168.1.1/24
    set interface ethernet0/1 route
    set interface ethernet0/2 ip 10.1.1.1/24
    set interface ethernet0/2 route

    set ike gateway "To-RDsite" address 5.5.5.5 Main outgoing-interface "ethernet0/0" preshare "XXXXXXXXXXXXXXXXXXXXXX" proposal "pre-g1-des-md5" "pre-g1-des-sha" "pre-g2-des-sha" "pre-g2-des-md5"

    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log

    set vpn "RDsite VPN" gateway "To-RDsite" replay tunnel idletime 0 sec-level compatible
    set vpn "RDsite ERP Traffic" gateway "To-RDsite" replay tunnel idletime 0 sec-level compatible

    set vpn "RDsite VPN" proxy-id local-ip 10.1.1.0/24 remote-ip 10.1.78.0/24 "ANY"
    set vpn "RDsite ERP Traffic" proxy-id local-ip 192.168.1.0/24 remote-ip 10.1.78.0/24 "ANY"

    set policy id 156 name "RDsite ERP Traffic" from "Untrust" to "ERP"  "net_10.1.78.0" "net_192.168.1.0" "ANY" tunnel vpn "RDsite ERP Traffic" id 0x54 pair-policy 155 log
    set policy id 156
    exit
    set policy id 155 name "RDsite ERP Traffic" from "ERP" to "Untrust"  "net_192.168.1.0" "net_10.1.78.0" "ANY" tunnel vpn "RDsite ERP Traffic" id 0x54 pair-policy 156 log
    set policy id 155
    exit
    set policy id 118 name "RDsite VPN" from "Untrust" to "OPS"  "net_10.1.78.0" "net_10.1.1.0" "ANY" tunnel vpn "Raleigh Durham VPN" id 0x17 pair-policy 117
    set policy id 118
    exit
    set policy id 117 name "RDsite VPN" from "OPS" to "Untrust"  "net_10.1.1.0" "net_10.1.78.0" "ANY" tunnel vpn "Raleigh Durham VPN" id 0x17 pair-policy 118
    set policy id 117
    exit
    set policy id 9 from "OPS" to "ERP"  "net_10.1.1.0" "net_192.168.1.0" "ANY" permit
    set policy id 9
    exit
    set policy id 10 from "ERP" to "OPS"  "net_192.168.1.0" "net_10.1.1.0" "ANY" permit
    set policy id 10
    exit


    #policy
    #SSG350
    #2611
    #site
    #vpn
    #based
    #multiple
    #2
    #to
    #Juniper
    #IPSec
    #subnets
    #cisco
    #phase


  • 2.  RE: Multiple subnets over VPN (SSG350 to Cisco 2611)

    Posted 05-19-2009 05:20

    Anyone have a suggestion? If I only knew what commands to research I could help myself. I'm not a Cisco person but most of the time just knowing what I need to look for is enough.

     

    The question put simply:

    There is an existing working VPN between a Juniper SSG350 and a Cisco 2611. There are two subnets on the Juniper side, and I need to access the secondary subnet from the Cisco. It's no problem at all from a route based Juniper to Juniper VPN. But I don't know what to do for a policy based Juniper to Cisco VPN. Thanks for any suggestions!!

     

    Kara



  • 3.  RE: Multiple subnets over VPN (SSG350 to Cisco 2611)
    Best Answer

    Posted 05-19-2009 06:21

    Solved my own issue (yay finally!!). I had everything (almost) setup correctly, I just had the access lists in the wrong order. I figured the issue stemmed from my lack of knowledge of Cisco and I was right...I had added to access list 102 (the rule for outbound traffic) my statement to deny traffic to 192.168.1.0/24 to force the traffic to travel over the vpn. However I was wrong to add it to the end of that access lists since they are processed from top to bottom, the underlined rule below wasn't getting processed. Removed the access list and re-added with the correct order and voila! Victory.

     

    Original access lists:

    access-list 101 permit ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 101 permit ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 102 deny   ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 102 permit ip 10.1.78.0 0.0.0.255 any
    access-list 102 deny   ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255

     

    New access list:

    access-list 101 permit ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 101 permit ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 102 deny   ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255

    access-list 102 deny   ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 102 permit ip 10.1.78.0 0.0.0.255 any